Access to data and systems is critical to business operations and resiliency, but it also presents tremendous risk.
Most organizations perform credential management, authentication and authorization functions with identity and access management tools, but these systems aren’t foolproof.
IAM presents organizations with a host of potential problems. They are subject to software vulnerabilities, and exploits can facilitate access to multiple systems and data across the organization.
The National Security Agency and the Cybersecurity and Infrastructure Security Agency released IAM guidelines Tuesday to help administrators hinder unauthorized access into their systems.
IAM systems are “foundational to security and also very complex and subject to vulnerabilities if not implemented correctly,” the agencies said in the paper. “Securing IAM infrastructure is critical.”
Password managers, single sign-on services and multifactor authentication are all part of the IAM collective, and all were compromised multiple times last year.
A sustained attack against LastPass went undetected for months and became one of the most alarming security incidents of 2022 when most of the data held by the password manager was compromised.
Okta last year got hit by a phishing attack, a breach and had its GitHub source code stolen. And Twilio’s widely-used two-factor authentication service was compromised after multiple employees were duped into providing their credentials to threat actors.
Detecting malicious activity via IAM is difficult for organizations because access often appears legitimate. “This provides the bad actor more time to gain access to resources and elevate privileges to gain persistent access,” the agencies said.
Focus on prevalent IAM threats
The guidelines focus on threats deemed highly likely, highly impactful, or both, and authorities shared mitigations for techniques threat actors use most frequently to exploit or bypass IAM controls.
The most common methods threat actors use against IAM include:
- New account creation
- Control of former employee accounts
- Exploitation of vulnerabilities to forge authentication
- The creation or use alternative access points
- Exploit legitimate user access
- Access systems and exploit stored credentials
- Compromise passwords via phishing, MFA bypass, credential stuffing or social engineering
Federal authorities and other members of the working group concentrated guidance around five IAM threat mitigation techniques.
Administrators are encouraged to:
Centralize policies for users and assign appropriate access to support the principle of least privilege, which only gives users access to systems required for their job.
Pair these policies with a privileged access management tool to mitigate the impacts of phishing, social engineering, insider threats and unauthorized account creation designed to maintain persistence.
Harden your infrastructure
Take inventory of all assets and identify who has access. Discern what controls already exist in the enterprise environment to pinpoint persistent security gaps and develop a network traffic baseline to detect anomalous activity.
Align identity and single sign-on
Take stock of on-premises resources, including applications, devices and platforms, and your cloud providers’ ability to connect to those assets via single sign-on.
Verify if your organization’s single sign-on integration can collect the location, device and behavior of user logins.
Use multifactor authentication
Identify and implement an MFA solution as part of your organization’s single-sign on solution. Consistently test and patch MFA infrastructure and keep inventory of the MFA authenticators deployed across the organization.
Monitor and audit IAM
Establish baseline expectations for activity and monitor user behavior to understand acceptable and suspicious behavior. This should include monitoring of users' successful and unsuccessful login attempts, typical hours worked, systems accessed and amounts of data downloaded.
To detect a potential threat actor moving laterally within your network, monitor activity between applications and systems, including unusual changes in connectivity, activity and data access.
“Remember that data exfiltration attacks may be low and slow so a change may be small, but ongoing,” authorities said in the paper. “Be careful not to include this in an accepted baseline of activity.”